• How to Prioritize Controls Based on Cost and Risk:
The priority of a control is based on its cost-effectiveness. Controls that protect assets with higher
risk exposure relative to the cost of the control should be prioritized. The formula to calculate
cost-effectiveness is:
\[ \text{Cost-Effectiveness} = \frac{\text{Cost of Control}}{\text{Asset Amount at Risk}} \]
Lower ratios indicate more cost-effective controls.
• Calculations:
Asset A: $15,000 / $150,000 = 0.10 (10%)
Asset B: $2,500 / $6,000 = 0.42 (42%)
Asset C: $50,000 / $2,000,000 = 0.025 (2.5%)
Asset D: $20,000 / $500,000 = 0.04 (4%)
• Lowest Priority:
Asset B has the highest ratio (42%), meaning it is the least cost-effective and should be the lowest
priority for controls.
• Reference and Documents:
COSO Internal Control Framework: Discusses cost-benefit analysis for prioritizing controls.
GAO Risk Management Guide: Emphasizes evaluating control cost-effectiveness relative to asset risk.